How to Run a Cyber Risk Assessment for an Energy Operator

Step 1: Define Scope and Essential Functions

Begin by defining what the assessment covers and, crucially, which essential functions the organisation delivers, because the CAF is organised around protecting those functions. Identify the systems, networks and data that support generation, transmission, distribution or supply, and draw a clear boundary between in-scope OT and IT. A vague scope produces a vague assessment, so this step deserves real time.

• Name the essential functions the operator delivers
• Identify the OT and IT systems supporting each function
• Agree the assessment boundary with stakeholders
• Confirm regulatory scope under the NIS Regulations

Step 2: Build a Threat Profile

Map the assessment to a realistic threat profile rather than a generic list. For energy operators that means ransomware crews, nation-state actors and insider risk, with attention to the initial-access routes that actually feature in incidents: phishing, exposed remote access and supply-chain compromise. Grounding the assessment in your real exposure keeps later prioritisation honest.

• Characterise relevant actors: criminal, state and insider
• Identify likely initial-access routes for your estate
• Reference real sector incidents to calibrate likelihood
• Note any high-consequence safety scenarios

Step 3: Assess Against the CAF Objectives

The CAF is structured into four objectives covering risk management, protection against attack, detection and minimising impact. Work through each contributing outcome and judge, with evidence, whether the operator achieves it, partially achieves it or does not. This produces a structured picture of where the organisation stands against the same framework the competent authority will use.

• Objective A: managing security risk and governance
• Objective B: protecting against cyberattack
• Objective C: detecting cyber security events
• Objective D: minimising the impact of incidents

Step 4: Identify and Prioritise Risk

Turn the control gaps into risks expressed in terms of likelihood and impact on essential functions. Prioritise ruthlessly: a gap in segmentation or remote access that exposes control systems outranks a low-impact policy gap. Express each risk in business terms so leadership can make informed decisions about tolerance and investment.

• Translate control gaps into likelihood and impact ratings
• Weight impact by effect on essential functions and safety
• Rank risks so the most consequential surface first
• Record the organisation risk appetite for each

Step 5: Produce a Treatment Plan

An assessment is only useful if it drives action, so close with a prioritised treatment plan that names owners, timelines and the residual risk after each control is applied. Sequence the work so the highest-impact fixes, typically segmentation, remote access and monitoring, come first. The plan doubles as the evidence trail that demonstrates due diligence to Ofgem and the NCSC.

• Define treatments with named owners and deadlines
• Sequence highest-impact controls first
• State residual risk for each treatment
• Schedule reassessment to track progress

How Kyanite Blue and Hadrian Help

Kyanite Blue runs CAF-aligned cyber risk assessments for energy operators and uses Hadrian continuous attack surface management to ground the exercise in reality. Rather than relying on a point-in-time questionnaire, Hadrian continuously discovers internet-facing assets and exploitable exposures from an attacker perspective, so the threat profile and risk ranking reflect what is actually reachable. We then turn the findings into a prioritised treatment plan and the evidence your competent authority expects.

Frequently Asked Questions